Container-based virtualization system extending kernel functionality using kernel modules compiled by a compiling container and loaded by an application container

ABSTRACT

The present disclosure relates to a method for extending kernel functionality of a kernel of a container-based virtualization system. The method comprises: providing in the container-based virtualization system a compiling container for compiling kernel modules against the kernel of the container-based virtualization system, and an application container for extending kernel functionality of the kernel using a kernel module. The application container may input the kernel module to the compiling container. The compiling container may compile the kernel module in the compiling container. The application container may receive from the compiling container the compiled kernel module. The application container may load the compiled kernel module to the kernel of the system for enabling the extension of the kernel functionality.

BACKGROUND

The present invention relates to the field of digital computer systems,and more specifically, to a method for extending kernel functionality ofa kernel of a container-based virtualization system.

A container manager such as Docker is a set of coupledsoftware-as-a-service and platform-as-a-service products that useoperating-system-level virtualization to develop and deliver software inpackages called containers. However, the portability of the containersmay be limited due to their dependence on the system where they aredeployed.

SUMMARY

Various embodiments provide a method for extending kernel functionalityof a kernel of a container-based virtualization system, computer systemand computer program product as described by the subject matter of theindependent claims. Advantageous embodiments are described in thedependent claims. Embodiments of the present invention can be freelycombined with each other if they are not mutually exclusive.

In one aspect, the invention relates to a method for extending kernelfunctionality of a kernel of a container-based virtualization system.The method comprises providing in the container-based virtualizationsystem a compiling container for compiling kernel modules in thecontainer-based virtualization system, and an application container forextending kernel functionality of the kernel using a kernel module;inputting by the application container the kernel module to thecompiling container; compiling the kernel module using the compilingcontainer; receiving by the application container from the compilingcontainer the compiled kernel module; and loading by the applicationcontainer the compiled kernel module to the kernel of the system forenabling the extension of the kernel functionality.

In another aspect, the invention relates to a computer program productcomprising a computer-readable storage medium having computer-readableprogram code embodied therewith, the computer-readable program codebeing configured to extend kernel functionality of a kernel of acontainer-based virtualization system comprising a compiling containerfor compiling kernel modules in the container-based virtualizationsystem, and an application container for extending kernel functionalityof the kernel using a kernel module; the computer-readable program codebeing configured to: input the kernel module to the compiling container;receive from the compiling container the compiled kernel module; loadthe compiled kernel module to the kernel of the system for enabling theextension of the kernel functionality.

In another aspect, the invention relates to a computer system forextending kernel functionality of a kernel of a container-basedvirtualization system comprising a compiling container for compilingkernel modules in the container-based virtualization system, and anapplication container for extending kernel functionality of the kernelusing a kernel module; the computer system being configured to: controlthe application container to input the kernel module to the compilingcontainer; control the compiling container to compile the kernel module;control the application container to receive from the compilingcontainer the compiled kernel module; and to load the compiled kernelmodule to the kernel of the container-based virtualization system.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

In the following embodiments of the invention are explained in greaterdetail, by way of example only, making reference to the drawings inwhich:

FIG. 1 is a block diagram of a container-based virtualization system.

FIG. 2 is a flowchart of a method for extending kernel functionality ofa kernel of a container-based virtualization system.

FIG. 3 is a block diagram of a container-based virtualization systemillustrating an example for extending the function of a Linux kernel.

FIG. 4 represents a computerized system, suited for implementing one ormore method steps as involved in the present disclosure.

FIG. 5 is a flowchart of a method for creating a reusable standardizedcompiling container to apply at least one new application against anexisting kernel source code.

FIG. 6 is a flowchart of a method for applying a new applicationcontainer which includes Linux kernel modules (LKM) into existing kernelsource code.

DETAILED DESCRIPTION

The descriptions of the various embodiments of the present inventionwill be presented for purposes of illustration, but are not intended tobe exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

With the present method, the compilation of the kernel module may beperformed on the fly during operation of the application container. Thecompilation responsibility may thus be moved to a containerizationservice and operating system of the container-based virtualizationsystem. This may have the advantage that the application containers maybecome portable in that they may not depend on the system where theywill be integrated because the kernel module would be compiled there andwould be compatible with the system in which it is compiled. This is bycontrast to application containers with precompiled modules, for whichthe system has to be checked first if it is consistent with the systemwhere the kernel module has been pre-compiled. The present subjectmatter may thus prevent a lengthy process including pre-compilation ofeach kernel module in a separate system, putting the precompiled modulesin the application containers and only then integrating/using theapplication containers e.g. either during the development cycle or laterat the container deployment time. For example, when the pre-compilationof that process is done during the container image development it maysignificantly limit the environments where the resulting applicationcontainer can be deployed and run. This is because the applicationcontainer and its precompiled kernel module may need to be provided foreach supported kernel separately.

The method may further comprise using the loaded kernel module by theapplication container. For example, the application container may use anadditional kernel functionality (e.g. a driver) enabled by the kernelmodule and which may not have been available in the exiting kernel. Thepresent subject matter may enable a stable build environment in order toachieve reproducible builds that do not depend on what system is used.For example, the compiling container may be created from a compilingimage. The compiling image may be used for different systemconfigurations. The compiling container and the application containermay be provided so that they can communicate between each other.

The container-based virtualization system may be a container-basedsystem. The container-based virtualization system may enable anoperating-system-level virtualization. The OS-level virtualization maybe enabled by the kernel of the container-based virtualization systemwhich allows the existence of multiple isolated user-space instances. Acontainer of the containers of the present subject matter may be aninstance of such instances. A container manager may be installed in thecontainer-based virtualization system in order to manage (e.g. create,delete, start etc.) the containers.

According to one embodiment, providing the compiling containercomprises: building the compiling container at the container-basedvirtualization system from a compiling image, wherein the compilingcontainer is a runnable instance of the compiling image. Building thecompiling container at the system where it is used may enable a fullyautomated and efficient method. The method may be efficient as it mayprevent a multiple-attempt download of compiling images which may not besuitable for the system.

An image may be an executable package that includes everything needed torun an application—the code, a runtime, libraries, environmentvariables, and configuration files. This may enable the compilingcontainer to have access to artifacts such as a compiler, kernel source,additional compilation tools and scripts as well as test programs. Theartifacts may be provided in the compiling image of the container-basedvirtualization system from which the compiling container has beencreated. The compiling container may be automatically created during theinstallation of the container manager of the container-basedvirtualization system. The compiling container may be reused by otherapplication containers which needs to load own kernel modules.

According to one embodiment, providing the compiling container comprisesreceiving and integrating the compiling container into thecontainer-based virtualization system. This may enable a flexibleimplementation of the present method. For example, multiple sources ofimages may be used by the present method for receiving the adequatecompiling container. This may further have the advantage of saving theprocessing resources that would otherwise be required by a localcreation of the compiling container. The received compiling containermay, for example, have been created from the compiling image of thecontainer-based virtualization system in a remote system.

According to one embodiment, the container-based virtualization systemcomprises a container manager, the method further comprising before theinputting step launching the compiling and application containers by thecontainer manager, the launching enabling communication between thecompiling and application containers. The container manager may forexample be Docker or LXC. For example, the launching of the compilingand application containers may be performed by command line “dockerrun”. The container manager may provide a centralized component forcontrolling the execution of the containers of the container-basedvirtualization system. For example, the method comprises, beforelaunching the compiling container, determining if the compilingcontainer is previously launched or not. If it is previously launchedthere may be no need to launch it again. This embodiment may beadvantageous as the launching of the compiling container may beperformed once for multiple application containers and thus may saveprocessing resources that would otherwise be required by multiplelaunchings.

According to one embodiment, the container-based virtualization systemcomprises a container manager, the method further comprising before theinputting step launching the application container by the containermanager, and launching the compiling container by the applicationcontainer, the launching enabling communication between the compilingand application containers. This embodiment may be advantageous as thismay increase the portability and independency of the applicationcontainer.

In one example, the application container may be configured to createand to launch the compiling container. The compiling container may becreated from a compiling image that is present in the container-basedvirtualization system.

According to one embodiment, the compiling image is created at the timeof installation of the container manager or downloaded from a sourcedatabase. For example, the container manager may comprise a service thatis automatically executed when the container manager is installed. Theservice may be configured, once executed, to create the compiling image.In one example, the container manager may be installed at the time ofinstalling the container based virtualization system.

Having the container image at the installation time may enable to createthe compiling the container at very beginning e.g. first createdcontainer may be the compiling container. This may enable that each newadditional application container can make use of the compilingcontainer. This may increase the usage efficiency of the present method.

According to one embodiment, providing the application containercomprises: receiving the application container and integrating theapplication container into the container-based virtualization system.The received application container may be configured to be used orexecuted in the container based virtualization system. In one example,the application container may be created in the container basedvirtualization system e.g. from an application image of the containerbased virtualization system.

According to one embodiment, the method further comprises deleting thecompiling container. This may save processing resources (e.g. storage)in the container-based virtualization system. This may particularly beadvantageous as the extension of kernel functionality may not be oftenneeded.

According to one embodiment, the method further comprises rebuilding thecompiling container from the compiling image for a further functionalityextension of the kernel of the container-based virtualization system.This embodiment may make use of the existing compiling image and thusmay save resources of creating the image each time the compilingcontainer is to be created. For example, the further extension may beenabled by another kernel module of another application container or maybe enabled by another kernel module of the application container of thecontainer-based virtualization system.

In another example, the application container may be reused again (e.g.after rebooting the container-based virtualization system). For that,the compiling container may be rebuilt (if deleted) from the existingimage and the inputting, compiling, receiving and loading steps may berepeated using the rebuilt compiling container. This may be advantageousin case the loaded kernel module have been unloaded.

In another example, the application container may use another kernelmodule. For that the compiling container may be rebuilt from theexisting image and the inputting, compiling, receiving and loading stepsmay be repeated using the rebuilt compiling container in order tocompile and load the other kernel module.

According to one embodiment, each of the compiling and applicationcontainers is a Docker container. This may enable a seamless integrationof the present subject in existing systems.

According to one embodiment, the method further comprises storing thecompiled kernel module in a storage accessible by the applicationcontainer, in case the kernel module is unloaded from the kernel,reloading by the application container the stored compiled kernel moduleinto the kernel. This may particularly be advantageous as the rebootingof the container-based virtualization system may cause thedeletion/unloading of the loaded kernel module. For example, afterreloading the application container may be launched again, and afterbeing launched again it may determine that the kernel module has beenunloaded and may then reload the stored compiled kernel module into thekernel.

According to one embodiment, the method further comprises providing adisk or storage in the container-based virtualization system that isaccessible by the application and compiling container, wherein theinputting comprises: storing by the application container the kernelmodule in the disk and reading by the compiling container the kernelmodule from the disk. The disk may for example be mounted for both theapplication and the compiling container so that they can both accessthat disk. In one example, the receiving of the compiled kernel modulemay comprise storing by the compiling container the compiled kernelmodule in the disk and reading by the application container the compiledkernel module from the disk. The compiling and application container maybe configured to automatically read the content of the disk e.g. as soonas new data is stored in the disk the containers may be configured toread the content of the disk.

FIG. 1 is a block diagram of a container-based virtualization system100. The container-based virtualization system 100 comprises anoperating system 101 and a hardware component 103. The hardwarecomponent 103 may for example include a processor, memory and devicessuch as input/output devices and/or peripherals.

For example, the container-based virtualization system 100 comprises acontainer manager (or containerization service) 107 executed at least inpart by the operating system 101 for developing, delivering, installingand executing software containers. The container manager may for examplebe Docker or LXC. The container-based virtualization system 100comprises software containers 105A-N. A software container of thesoftware containers 105A-N may be created using the container manager107. In another example, a software container of the software containers105A-N may be received or imported and integrated in the container-basedvirtualization system 100 e.g. the received container may have beenbuilt in another system that has a same configuration (e.g. kernelconfiguration) as the container-based virtualization system 100.

The container manager 107 provides a set of capabilities which can beused by the application containers 105A-N. For example, the containermanager 107 may comprise a storage enabling service 111. The storageenabling service 111 may, for example, enable persistent volumes anddrivers. The container manager 107 may further comprise a networkenabling service 113 for enabling communication between the applicationcontainers 105A-N. For example, the network enabling service 113 mayenable virtual networks which can be used for intra-containerscommunication.

The operating system 101 in conjunction with the container manager 107provides isolation between software processes executing in the system100 such as application containers 105A-N. For example, the processesmay be provisioned to have a private view of the operating system suchthat two processes cannot access each other's resources. Althoughisolated, the processes may still be capable of intercommunication suchas by way of network connections or the like between the processes inthe same way as unrelated and isolated computer systems can communicatevia a network if configured and permitted to do so.

The container manager 107 may for example be configured to receive acontainer image 109 for instantiation, installation and/or execution inthe operating system 101. The container image 109 may be created and/ormodified by the container manager or another software component such asan installer. The container image 109 may be a software component forexecution as an isolated process in the operating system 101. Forexample, the container image 109 may be a Docker image obtained from acontainer repository such as the Docker registry. For example, thecontainer image 109 may be a read-only template with instructions forcreating a container. Using the container image 109 a container may beinstantiated by the container manger 107 for execution as one or moreprocesses in the operating system 101.

The application containers 105A-N may be configured to communicate witheach other. For example, a network of the container manager 107 (e.g.the network may be created by the network enabling service 113) may beused to communicate between the application containers. The network mayfor example be a bridge network of the Docker.

The software containers 105A-N comprise a compiling container (orcompilation container) 105N in accordance with the present subjectmatter. The compiling container 105N may be configured to compile akernel module such as a Linux kernel module. For example, the compilingcontainer 105N may have access to artifacts which are needed to compilethe kernel module. These are for example: kernel source files andheaders, C compiler, compilation scripts. The compiling container mayprovide a build environment for compiling the kernel module inaccordance with the configuration of the system 100.

The compiling container 105N may, for example, be created at thecontainer manager installation time. The container manager 107 may havean optional OS packages dependency defined-kernel source files package,C compiler package. If these dependencies are not met the LKMcompilation container image may not be created at the serviceinstallation time and it may not be available for the applicationcontainers.

The compiling container may be created at the time of installation ofthe container manager. This may be advantageous as the container managermay have a dependency on packages which needs to be installed in thesystem already before the installation. These packages may be used tocreate the compiling image. These packages may for example comprise akernel source package, compiler, compilation tools, libraries andscripts.

The application container 105A may, for example, comprise a kernelmodule and may use the kernel module to extend the functionality of thekernel of the operating system 101.

FIG. 2 is a flowchart of a method for extending kernel functionality ofa kernel of a container-based virtualization system e.g. 100. Forsimplification purposes, the method of FIG. 2 is described withreference to FIG. 1's system but it is not limited to the example systemof FIG. 1. The kernel functionality may, for example, be extended by adriver or a software module using an application container.

For example, the application container 105A may comprise a Linux kernelmodule. Once compiled, the Linux kernel module may be a piece ofcompiled binary code that can be inserted directly into a Linux kernelof the system 100. The loaded code may have access to everything in thesystem 100. This may enable the extension of the kernel functionality ofthe Linux kernel.

In one example, before performing step 201, the application container105A and the compiling container 105N may be launched by the containermanager. This may enable that the two containers can communicate databetween each other. For example, the compiling container may be executedor launched before the application container 105A starts. Theapplication container may be deployed and configured with LKMs sources.The compiling container may be used to compile, test and expose to theapplication container, the LKMs. In another example, the applicationcontainer may first be launched by the container manager and thelaunched application container may launch the compiling container. Afterlaunching the two containers, the application container 105A may inputin step 201 the kernel module into the compiling container 105N.

In one example, a disk may be mounted for both the application and thecompiling container so that they can both access that disk. For example,for inputting the kernel module, the application container may store thekernel module into the disk and the compiling container may read thekernel module from the disk.

In another example, the compiling container may comprise a service. Theservice, once it runs in the compiling container, may enablecommunication between the application and compiling containers so thatthe application container may input the kernel module to the compilingcontainer.

In response to receiving the kernel module as input, the compilingcontainer 105N may compile in step 203 the kernel module against theoperating system 101. And the resulting compiled kernel module may besent by the compiling container 105N to the application container 105A.

The application container 105A may receive in step 205, from thecompiling container 105N, the compiled kernel module. In one example,the application container may import the compiled kernel module from astorage e.g. the disk, where it is stored by the compiling container. Inone example, the compiling container may transmit the compiled kernelmodule to the application container.

The application container 105A may load in step 207 the compiled kernelmodule to the kernel of the operating system 101. The applicationcontainer 105A may use the loaded module in the runtime. This method mayenable the application container to become independent of the host'skernel. Once loaded, the application container may use the kernel moduleto execute its function e.g. the application container may be a databaseserver that can use the kernel module to store data using a new kernelfunctionality that is enabled by the kernel module.

FIG. 3 is a block diagram of a container-based virtualization system 300illustrating an example for extending the function of a Linux kernel301. The container-based virtualization system 300 comprises a containermanager (or containerization service) 302.

The container manager 302 comprises a storage enabling service 303. Thestorage enabling service 303 may, for example, enable persistent volumesand drivers. The container manager 302 further comprises a networkenabling service 305 for enabling communication between applicationcontainers 309A-C and 307 of the container-based virtualization system300. For example, the network enabling service 305 may enable virtualnetworks which can be used for intra-containers communication.

The application containers comprise a Linux kernel module (LKM)compilation container 307. For example, an application development teamhas tested LKM compilation in the LKM compilation container before beingused in the present method of FIG. 3 e.g. the LKM container may havebeen available and tested in a given containerization service which mayor may not be the container manager 302. LKM compilation container 307may for example be deployed in the container-based virtualization system300 from an available image.

The application container 309A has a need to load and use a LKM. Theapplication container 309A may ship LKM source files. The applicationcontainer 309A may take advantage of the LKM compilation container 307during the deployment. For example, the application container 309A sendsthe LKM source files and compiles the LKM against the currently runningLinux kernel (311). Compiled LKM binary is copied from LKM compilationcontainer 307 back to application container 309A (312). After that, theLKM compilation container 307 is deleted from the container-basedvirtualization system 300 as it may no longer be needed at this point.If another application container will also need to compile an LKManother instance of the LKM compilation container can be deployed fromthe available image. The application container 309A loads (313) thecompiled LKM into the Linux kernel 301. After that, the applicationcontainer 309A may be fully deployed and started.

FIG. 4 represents a general computerized system 400 such ascontainer-based virtualization system 100 suited for implementing methodsteps as involved in the disclosure.

It will be appreciated that the methods described herein are at leastpartly non-interactive, and automated by way of computerized systems,such as servers or embedded systems. In exemplary embodiments though,the methods described herein can be implemented in a (partly)interactive system. These methods can further be implemented in software412, 422 (including firmware 422), hardware (processor) 405, or acombination thereof. In exemplary embodiments, the methods describedherein are implemented in software, as an executable program, and isexecuted by a special or general-purpose digital computer, such as apersonal computer, workstation, minicomputer, or mainframe computer. Themost general system 400 therefore includes a general-purpose computer401.

In exemplary embodiments, in terms of hardware architecture, as shown inFIG. 4, the computer 401 includes a processor 405, memory (main memory)410 coupled to a memory controller 415, and one or more input and/oroutput (I/O) devices (or peripherals) 10, 445 that are communicativelycoupled via a local input/output controller 435. The input/outputcontroller 435 can be, but is not limited to, one or more buses or otherwired or wireless connections, as is known in the art. The input/outputcontroller 435 may have additional elements, which are omitted forsimplicity, such as controllers, buffers (caches), drivers, repeaters,and receivers, to enable communications. Further, the local interfacemay include address, control, and/or data connections to enableappropriate communications among the aforementioned components. Asdescribed herein the I/O devices 10, 445 may generally include anygeneralized cryptographic card or smart card known in the art.

The processor 405 is a hardware device for executing software,particularly that stored in memory 410. The processor 405 can be anycustom made or commercially available processor, a central processingunit (CPU), an auxiliary processor among several processors associatedwith the computer 401, a semiconductor based microprocessor (in the formof a microchip or chip set), a macroprocessor, or generally any devicefor executing software instructions.

The memory 410 can include any one or combination of volatile memoryelements (e.g., random access memory (RAM, such as DRAM, SRAM, SDRAM,etc.)) and nonvolatile memory elements (e.g., ROM, erasable programmableread only memory (EPROM), electronically erasable programmable read onlymemory (EEPROM), programmable read only memory (PROM). Note that thememory 410 can have a distributed architecture, where various componentsare situated remote from one another, but can be accessed by theprocessor 405.

The software in memory 410 may include one or more separate programs,each of which comprises an ordered listing of executable instructionsfor implementing logical functions, notably functions involved inembodiments of this invention. In the example of FIG. 4, software in thememory 410 includes instructions 412 e.g. instructions to managedatabases such as a database management system.

The software in memory 410 shall also typically include a suitableoperating system (OS) 411. The OS 411 essentially controls the executionof other computer programs, such as possibly software 412 forimplementing methods as described herein.

The methods described herein may be in the form of a source program 412,executable program 412 (object code), script, or any other entitycomprising a set of instructions 412 to be performed. When a sourceprogram, then the program needs to be translated via a compiler,assembler, interpreter, or the like, which may or may not be includedwithin the memory 410, so as to operate properly in connection with theOS 411. Furthermore, the methods can be written as an object-orientedprogramming language, which has classes of data and methods, or aprocedure programming language, which has routines, subroutines, and/orfunctions.

In exemplary embodiments, a conventional keyboard 450 and mouse 455 canbe coupled to the input/output controller 435. Other output devices suchas the I/O devices 445 may include input devices, for example but notlimited to a printer, a scanner, microphone, and the like. Finally, theI/O devices 10, 445 may further include devices that communicate bothinputs and outputs, for instance but not limited to, a network interfacecard (NIC) or modulator/demodulator (for accessing other files, devices,systems, or a network), a radio frequency (RF) or other transceiver, atelephonic interface, a bridge, a router, and the like. The I/O devices10, 445 can be any generalized cryptographic card or smart card known inthe art. The system 400 can further include a display controller 425coupled to a display 430. In exemplary embodiments, the system 400 canfurther include a network interface for coupling to a network 465. Thenetwork 465 can be an IP-based network for communication between thecomputer 401 and any external server, client and the like via abroadband connection. The network 465 transmits and receives databetween the computer 401 and external systems 30, which can be involvedto perform part or all of the steps of the methods discussed herein. Inexemplary embodiments, network 465 can be a managed IP networkadministered by a service provider. The network 465 may be implementedin a wireless fashion, e.g., using wireless protocols and technologies,such as WiFi, WiMax, etc. The network 465 can also be a packet-switchednetwork such as a local area network, wide area network, metropolitanarea network, Internet network, or other similar type of networkenvironment. The network 465 may be a fixed wireless network, a wirelesslocal area network (LAN), a wireless wide area network (WAN) a personalarea network (PAN), a virtual private network (VPN), intranet or othersuitable network system and includes equipment for receiving andtransmitting signals.

If the computer 401 is a PC, workstation, intelligent device or thelike, the software in the memory 410 may further include a basic inputoutput system (BIOS) 422. The BIOS is a set of essential softwareroutines that initialize and test hardware at startup, start the OS 411,and support the transfer of data among the hardware devices. The BIOS isstored in ROM so that the BIOS can be executed when the computer 401 isactivated.

When the computer 401 is in operation, the processor 405 is configuredto execute software 412 stored within the memory 410, to communicatedata to and from the memory 410, and to generally control operations ofthe computer 401 pursuant to the software. The methods described hereinand the OS 411, in whole or in part, but typically the latter, are readby the processor 405, possibly buffered within the processor 405, andthen executed.

When the systems and methods described herein are implemented insoftware 412, as is shown in FIG. 4, the methods can be stored on anycomputer readable medium, such as storage 420, for use by or inconnection with any computer related system or method. The storage 420may comprise a disk storage such as HDD storage.

FIG. 5 is a flowchart of a method for creating a reusable standardizedcompiling container to apply at least one new application against anexisting kernel source code. In step 501, a compiling container havingaccess to different components of a pre-installed host system like acompiler, a kernel source code, at least one special compilation tool,at least one library, at least one script, at least one test program maybe created. The compiling container may be installed in step 503 on thehost system for further usage. The compiling container may be reused instep 505 for additional application containers containing LKM (Linuxkernel modules).

FIG. 6 is a flowchart of a method for applying a new applicationcontainer which includes Linux kernel modules (LKM) into existing kernelsource code. In step 601, a compiling container may be integrated into ahost system. The new application may send in step 603 a container to thehost system carrying at least one LKM with source code. The LKM of thenew application container may be compiled in step 605. The compilationis done with the compiling container having the ability to compile theLKM directly against the running host kernel.

Various example embodiments are specified in the following clauses:

Example 1 includes a method for extending kernel functionality of akernel of a container-based virtualization system. The method comprisesproviding in the container-based virtualization system a compilingcontainer for compiling kernel modules in the container-basedvirtualization system, and an application container for extending kernelfunctionality of the kernel using a kernel module. The method furthercomprises inputting by the application container the kernel module tothe compiling container; compiling the kernel module using the compilingcontainer; receiving by the application container from the compilingcontainer the compiled kernel module; and loading by the applicationcontainer the compiled kernel module to the kernel of the system forenabling the extension of the kernel functionality.

Example 2 includes the method of example 1, wherein providing thecompiling container comprises building the compiling container at thecontainer-based virtualization system from a compiling image, whereinthe compiling container is a runnable instance of the compiling image.

Example 3 includes the method of example 1, wherein providing thecompiling container comprises receiving and integrating the compilingcontainer into the container-based virtualization system.

Example 4 includes the method of any of examples 1-3, wherein thecontainer-based virtualization system comprises a container manager andwherein the method further comprises, before the inputting step,launching the compiling and application containers by the containermanager, the launching enabling communication between the compiling andapplication containers.

Example 5 includes the method of any of examples 1-3, wherein thecontainer-based virtualization system comprises a container manager andwherein the method further comprises, before the inputting step,launching the application container by the container manager, andlaunching the compiling container by the application container, thelaunching enabling communication between the compiling and applicationcontainers.

Example 6 includes the method of any of examples 2-5, wherein thecompiling image is created at the time of installation of thecontainer-based virtualization system or downloaded from a sourcedatabase.

Example 7 includes the method of any of examples 1-6, wherein providingthe application container comprises: receiving the application containerand integrating the application container into the container-basedvirtualization system.

Example 8 includes the method of any of examples 1-7, further comprisingdeleting the compiling container.

Example 9 includes the method of example 8, further comprisingrebuilding the compiling container from the compiling image for afurther extension of the kernel of the container-based virtualizationsystem.

Example 10 includes the method of any of examples 1-9, furthercomprising storing the compiled kernel module in a storage accessible bythe application container, in case the kernel module is unloaded fromthe kernel, reloading by the application container the stored compiledkernel module into the kernel.

Example 11 includes the method of any of examples 1-10, furthercomprising providing a disk in the container-based virtualization systemthat is accessible by the application and compiling container, whereinthe inputting comprises: storing by the application container the kernelmodule in the disk and reading by the compiling container the kernelmodule from the disk.

Example 12 includes the method of any of examples 1-11, wherein each ofthe compiling and application containers is a Docker container.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

The present invention may be a system, a method, and/or a computerprogram product. The computer program product may include a computerreadable storage medium (or media) having computer readable programinstructions thereon for causing a processor to carry out aspects of thepresent invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Smalltalk, C++ or the like, andconventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computeror entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including a local area network (LAN) or a wide areanetwork (WAN), or the connection may be made to an external computer(for example, through the Internet using an Internet Service Provider).In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general-purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

The invention claimed is:
 1. A method for extending kernel functionalityof a kernel of a container-based virtualization system, the methodcomprising: providing in the container-based virtualization system acompiling container for compiling kernel modules in the container-basedvirtualization system, and an application container for extending kernelfunctionality of the kernel using a kernel module; inputting by theapplication container the kernel module to the compiling container;compiling the kernel module using the compiling container; receiving bythe application container from the compiling container the compiledkernel module; loading by the application container the compiled kernelmodule to the kernel of the system for enabling the extension of thekernel functionality.
 2. The method of claim 1, wherein providing thecompiling container comprises: building the compiling container at thecontainer-based virtualization system from a compiling image, whereinthe compiling container is a runnable instance of the compiling image.3. The method of claim 2, wherein the compiling image is created at thetime of installation of the container-based virtualization system ordownloaded from a source database.
 4. The method of claim 1, wherein thecontainer-based virtualization system comprises a container manager, themethod further comprising: before the inputting step, launching thecompiling and application containers by the container manager, thelaunching enabling communication between the compiling and applicationcontainers.
 5. The method of claim 1, wherein the container-basedvirtualization system comprises a container manager, the method furthercomprising: before the inputting step, launching the applicationcontainer by the container manager, and launching the compilingcontainer by the application container, the launching enablingcommunication between the compiling and application containers.
 6. Themethod of claim 1, wherein providing the compiling container comprisesreceiving and integrating the compiling container into thecontainer-based virtualization system.
 7. The method of claim 1, whereinproviding the application container comprises: receiving the applicationcontainer and integrating the application container into thecontainer-based virtualization system.
 8. The method of claim 1, furthercomprising deleting the compiling container.
 9. The method of claim 8,further comprising rebuilding the compiling container from the compilingimage for a further functionality extension of the kernel of thecontainer-based virtualization system.
 10. The method of claim 1,further comprising storing the compiled kernel module in a storageaccessible by the application container, in case the kernel module isunloaded from the kernel, reloading by the application container thestored compiled kernel module into the kernel.
 11. The method of claim1, further comprising providing a disk in the container-basedvirtualization system that is accessible by the application andcompiling container, wherein the inputting comprises: storing by theapplication container the kernel module in the disk and reading by thecompiling container the kernel module from the disk.
 12. The method ofclaim 1, wherein each of the compiling and application containers is aDocker container.
 13. A computer program product comprising acomputer-readable storage medium having computer-readable program codeembodied therewith, the computer-readable program code being configuredto extend kernel functionality of a kernel of a container-basedvirtualization system comprising a compiling container for compilingkernel modules against the kernel of the container-based virtualizationsystem, and an application container for extending kernel functionalityof the kernel using a kernel module; wherein the computer-readableprogram code, when executed by a processor, causes the applicationcontainer to: input the kernel module to the compiling container;receive from the compiling container the compiled kernel module; andload the compiled kernel module to the kernel of the system for enablingthe extension of the kernel functionality.
 14. The computer programproduct of claim 13, wherein the computer-readable program code isfurther configured to cause the processor to build the compilingcontainer from a compiling image, wherein the compiling container is arunnable instance of the compiling image.
 15. The computer programproduct of claim 14, wherein the compiling image is created at the timeof installation of the container-based virtualization system ordownloaded from a source database.
 16. The computer program product ofclaim 14, further being configured to rebuild the compiling containerfrom the compiling image for a further functionality extension of thekernel of the container-based virtualization system.
 17. The computerprogram product of claim 13, wherein the computer-readable program codeis further configured to cause the processor to delete the compilingcontainer.
 18. The computer program product of claim 13, wherein thecomputer-readable program code is further configured to cause theprocessor to receive and integrate the compiling container into thecontainer-based virtualization system.
 19. The computer program productof claim 13, wherein each of the compiling and application containers isa Docker container.
 20. A computer system for extending kernelfunctionality of a kernel of a container-based virtualization system,the computer system comprising: a memory configured to store programcode; and a processor coupled to the memory and configured to executethe program code to implement a compiling container for compiling kernelmodules against the kernel of the container-based virtualization system,and an application container for extending kernel functionality of thekernel using a kernel module; wherein the processor is furtherconfigured to: control the application container to input the kernelmodule to the compiling container; control the compiling container tocompile the kernel module; and control the application container toreceive, from the compiling container, the compiled kernel module and toload the compiled kernel module to the kernel of the container-basedvirtualization system.